Thesis record 108322020: details
Name: 徐昊宇 (Hao-Yu Syu)    Department: Department of Civil Engineering
Thesis title: 結合FAIR與NIST資安框架分析資安風險:以醫療產業為例 (Analyzing cyber risk by combining FAIR with the NIST cyber security framework: the medical industry as an example)
Related theses
★ A study of international catastrophe insurance systems
★ Issues in establishing dedicated local-level disaster prevention and response units in Taiwan: Taoyuan County as an example
★ Safety supervision of public hazardous materials: Hsinchu County as an example
★ Fire safety design and fire evacuation facilities in long-term care institutions
★ Aerodynamic response of high-rise buildings fitted with vibration-reduction devices, considering soil-structure interaction
★ Stability of nonlinear structural control combining fuzzy control and neural networks
★ Natural disaster risk assessment and management for the tourism industry
★ Establishing decision methods for natural disaster risk management: earthquake disasters as an example
★ Construction and application of a stochastic event database for typhoon and flood risk assessment
★ Operation of incident command staff at fire scenes: the Taoyuan City Fire Department as an example
★ Drafting earthquake emergency response plans for science parks
★ Earthquake disaster risk assessment and risk management of earthquake insurance
★ Seismic capacity assessment of science park buildings
★ Establishing an integrated multi-objective earthquake risk assessment system
★ Application of adaptive fuzzy sliding-mode control in structural engineering
★ Wind tunnel study of the vibration-reduction effect of tuned liquid column dampers in high-rise structures
  1. Access rights for this electronic thesis: consent to immediate open access.
  2. Electronic full texts that have reached open access are licensed only for personal, non-profit searching, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, so as not to violate the law.

Abstract: With the vigorous growth of online activity, cyber risk in every country has risen year by year, and the insurance industry has accordingly been developing an insurance market for cyber security. In Taiwan, however, the industry's development in this field is still limited, owing to an insufficient understanding of how to classify and measure cyber risk. Even in the United States, where cyber insurance started earlier, insurers lack full confidence in their own risk assessment models, so it is not surprising that Taiwan faces a similar situation.

This research first compiles and introduces the classification, frequency, attack paths, loss conditions and severity grading of various cyber risk events, reproducing the scenarios concretely with real or hypothetical cases. This material can serve as a reference for insurers when designing products and setting premiums, and as a basis for insured enterprises when drawing up cyber security countermeasures. The research then explains the FAIR (Factor Analysis of Information Risk) model developed by Jack Freund and Jack Jones and the NIST (National Institute of Standards and Technology) cyber security framework, sets the FAIR parameters from the data presented in the first half of the thesis, and, combining them with the NIST framework, takes medical institutions as the example for evaluating the risk of a data breach. Finally, the process by which an insurer derives a premium from the resulting risk value is simulated for reference.

The results present the analysis with the medical industry as the example; because of similarities in the nature of their business, the risk assessment process in this research can be expected to apply to many other types of insured enterprises as well. In addition, the loss patterns that different industries experience in various cyber incidents have been tabulated, which both insureds and insurers can use as a basis for adjusting their operating policies.
Keywords ★ cyber risk
★ cyber security
★ cyber insurance
★ premium assessment
★ data breach
★ FAIR
★ NIST
Table of contents
Chapter 1 Introduction
1.1 Research motivation, objectives and scope
1.2 Classification of insureds
1.2.1 Classification by industry type
1.2.2 Classification by enterprise size
Chapter 2 Types of cyber losses
2.1 Data breaches
2.1.1 Data types and severity by volume breached
2.1.2 Records of breach incidents
2.1.3 Breach frequency and data volume
2.1.4 The hacker economy
2.1.5 Breach notification mechanisms
2.1.6 Detailed breach statistics
2.1.7 Losses from data breaches
2.1.8 Regional breakdown of breach incidents
2.1.9 Data breach case studies
2.2 Cyber extortion
2.2.1 Ransomware families seen to date
2.2.2 Severity of cyber extortion
2.2.3 Records of cyber extortion incidents
2.2.4 Detailed cyber extortion statistics
2.2.5 Cyber extortion case studies
2.3 Denial-of-service attacks
2.3.1 Types of denial-of-service attacks
2.3.2 Intensity of volumetric denial-of-service attacks
2.3.3 Severity of network outages caused by denial-of-service attacks
2.3.4 Detailed denial-of-service statistics
2.3.5 Denial-of-service case studies
2.4 Multi-layer destruction
2.4.1 Cyber arson
2.4.2 Utility failure
2.4.3 Cloud service failure
2.4.4 Denial-of-transport attacks
2.5 Compromise of funds transfer systems
Chapter 3 Research methods and tools
3.1 FAIR
3.1.1 Terminology
3.1.2 Loss types
3.1.3 Threat communities and profiling
3.1.4 Implementation workflow
3.1.5 Caveats
3.2 Setting parameter values from experience and the FAIR handbook's recommendations
3.2.1 PoA and Diff
3.2.2 CF and TCap
3.2.3 Setting response-cost parameters
3.2.4 Reputational and legal losses as a share of revenue
3.3 The NIST cyber security framework as a self-assessment of the Diff value for insured enterprises
3.4 FAIR computation software
3.4.1 The Open Group's XML computation file
3.4.2 A Taiwanese risk management company's FAIR computation software
3.4.3 The Monte Carlo method
Chapter 4 Results
4.1 Likely loss types for each industry under various cyber incidents
4.1.1 Likely loss types under data breach and cyber extortion incidents
4.1.2 Likely loss types under denial-of-service incidents
4.1.3 Multi-layer destruction incidents
4.2 Magnitude of each loss type for hospitals
4.3 Diff values converted from hospitals' self-assessment against the NIST framework
4.4 Risk values obtained from the FAIR software
4.4.1 Output from the XML file provided by the Open Group
4.4.2 Output from the Taiwanese risk management company's software
4.5 Estimating premiums from the software output
Chapter 5 Conclusions and recommendations
5.1 Conclusions
5.2 Recommendations
Advisor: 蔣偉寧    Date approved: 2021-10-28
For questions about this thesis, please contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.